Computer networks that can carry mixed media messages over standard protocols, including voice, video, and data traffic, are undergoing intensive technical development. There is particular interest in developing and deploying networks that can carry voice over Internet Protocol (IP), video over IP, and other media. In these networks, it is important to ensure that consistent treatment, or quality of service, is applied by all intermediate network elements in a path from sender to receiver for a particular message flow. Accordingly, various quality of service management systems are now available. Certain leading systems of this type enable a user or administrator to create and store abstract quality of service policies in terms of collections of rules and policy objects. An example of such as system is QoS Policy Manager, commercially available from Cisco Systems, Inc.
Concurrently, those of skill in this field have developed an interest in using directory services as a repository for storing a representation of quality of service policies, and other information about physical and logical elements of the network. Directory services based on the ITU X.500 standard, or based on other standards such as Lightweight Directory Access Protocol (LDAP), are receiving particular attention. Microsoft Active Directory is an example of a commercial directory service product.
Integration of quality of service systems and directory services presents certain problems. Many of these problems arise from the fact that while a directory service provides a data repository, it is not a complete database system and lacks many native services offered by relational database systems and object-oriented databases systems, e.g., SQL Server, Oracle, Sybase, etc. For example, directory services do not support protected atomic transaction processing. There is no mechanism for initiating a transaction and then committing changes carried out in the transaction to a database of the directory server. LDAP does not support multiple operation transactions, bundling of atomic operations as a transaction, transaction commit, providing “cursor stability,” etc. As a result, data consistency problems arise.
For example, one entity may read policy information, another entity may write policy information, and the reading and writing operations may not necessarily be coordinated. For example, a policy management system may write policy information to the directory, and a policy server may fetch the information at the same time or too soon. There is no automatic coordination of data from a producer of data and a consumer of data. As a result, a data consumer may read data that is out of synchronization with the producer of data, and the consumer is at risk of reading data that is incomplete or out-of-date.
Another problem is that obsolete policies may persist in the network. If a user edits a policy, a consumer of the policy needs to receive the entire revised policy rather than only the modified portion. Under current approaches, distribution of complete updates is not assured.
Still another problem arises from the typical constraint that a user must accept the entire collection of policy rules or objects that are currently in force for a particular network. The policies need to be consistent and complete for proper processing by consumer processes. Further, only those policies that are approved by an administrator for deployment to the network should be made available. Distributing a partial policy to a process that reads, uses or otherwise consumes a policy (“reader”) is undesirable. However, it cannot be prevented in current approaches because the typical quality of service management system does not fully control the directory service or prohibit other applications from reading the directory information. Maintaining consistency and completeness of policy information, while processes are reading and writing the policy information, is difficult given the inherent deficiencies of LDAP and other directory service mechanisms.
In past approaches, certain object-oriented policy information models and schemas have been proposed for use in some quality of service management systems. For example, a policy framework is described in Y. Snir et al., “QoS Policy Framework Information Model,” Internet-Draft, draft-snir-qos-policy-schema-01.txt (first posted October, 1999), and in J. Strassner et al., “Policy Framework LDAP Core Schema,” Internet-Draft, draft-ietf-policy-core-schema-06.txt (first posted Nov. 4, 1999). However, these approaches do not address problems that arise in using directory services, including data concurrency, LDAP client behavior, data integrity, and other implementation issues. There is a need in this field for a way to integrate a quality of service policy management system with a directory service while overcoming these integration problems.
Tree locking is one possible approach to these problems. In tree locking, the directory tree is locked by a reader or writer process until that process is complete. However, this creates the undesirable possibility that the tree could be locked and then the reader or writer process could crash, leaving the tree locked perpetually. In the policy management environment, this possibility cannot be eliminated because the directory tree and consumer processes are not commonly controlled.
Based on the foregoing, there is a clear need in this field for a way to integrate a directory service with a policy management system while circumventing the problems of data consistency associated with the prior art.
In particular, there is a need for a way to update policy information in one operation, and make the data known in a separate operation that ensures data integrity and consistency between a directory server and a policy server.
There is also a need for a way to update a data store of a directory server, for example, a directory server that communicates to other applications using LDAP, in a way that keeps the data store consistent with any other external data store.